Abstract

With the development of ICT (Information and Communication Technology), computers and the Internet have become indispensable for people's social activities, while cyber security threats keep increasing. Unfortunately, current popular security facilities cannot efficiently detect cyber attacks because of the tremendous amount of network traffic that needs to be analyzed. In this paper, we focus on DNS (Domain Name System) name resolution and propose an efficient method for detecting suspicious DNS traffic by separating resolvers per application program. Based on the observation that almost all kinds of software, including malware, use DNS name resolution, the proposed method forwards DNS queries to different DNS full resolvers depending on the application program that issued them. DNS queries from well-known application programs such as Internet browsers and anti-virus software are forwarded to a normal DNS full resolver, while those from unknown application programs, such as malware, are forwarded to a highly-monitored DNS full resolver. Consequently, DNS queries from unknown application programs can be detected immediately, since only a small amount of DNS traffic needs to be analyzed compared to the whole network traffic. We implemented a prototype system on a Windows operating system and evaluated its features on a local experimental network. According to the evaluation results, we confirmed that the proposed method correctly forwards DNS queries based on the originating application program, and that the DNS queries are logged on the client together with the application program that initiated them.
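The routing decision described above, as an added example that is not the paper's prototype code: it assumes the client-side component has already mapped each outgoing DNS query to the process that sent it (the abstract does not say how the prototype does this), parses the queried name from the DNS wire format, forwards queries from an allowlist of well-known programs to a normal resolver and everything else to a highly-monitored one, and emits one client-side log record per query with the originating program. The resolver addresses, executable paths and sample events are constructed for the example.

```python
"""Per-application DNS resolver separation (illustrative model, not the paper's code).

Assumed input: (pid, executable path, raw DNS query bytes) triples produced by some
socket-to-process mapping on the client. Everything below that is hypothetical.
"""
import struct
from dataclasses import dataclass

NORMAL_RESOLVER = "10.0.0.53"     # assumed address of the normal full resolver
MONITORED_RESOLVER = "10.0.0.54"  # assumed address of the highly-monitored resolver

# Allowlist of well-known application programs. Example paths only; the abstract
# names the categories (browsers, anti-virus software), not specific binaries.
KNOWN_PROGRAMS = {
    r"c:\program files\mozilla firefox\firefox.exe",
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def parse_qname(query: bytes) -> str:
    """Return the first question name of a DNS query in wire format (RFC 1035).

    Compression pointers are rejected: they are not valid in a query's question
    name, and accepting them would let a process smuggle an unparsed name past
    the logger.
    """
    if len(query) < 12:
        raise ValueError("DNS header too short")
    qdcount = struct.unpack("!H", query[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(query):
            raise ValueError("truncated qname")
        length = query[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1
        label = query[pos:pos + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", errors="replace"))
        pos += length
    return ".".join(labels).lower()


def is_valid_query(query: bytes) -> bool:
    """True if the question name parses; malformed queries should be logged, not dropped silently."""
    try:
        parse_qname(query)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class QueryEvent:
    pid: int
    exe_path: str
    query: bytes


@dataclass(frozen=True)
class Decision:
    pid: int
    exe_path: str
    qname: str
    resolver: str
    suspicious: bool


def route_query(ev: QueryEvent) -> Decision:
    """Pick the upstream resolver from the originating program, not from the query content."""
    qname = parse_qname(ev.query)
    known = ev.exe_path.lower() in KNOWN_PROGRAMS
    resolver = NORMAL_RESOLVER if known else MONITORED_RESOLVER
    return Decision(ev.pid, ev.exe_path, qname, resolver, suspicious=not known)


def log_line(d: Decision) -> str:
    """Client-side log record mapping the query to the program that initiated it."""
    flag = "SUSPICIOUS" if d.suspicious else "ok"
    return f"pid={d.pid} exe={d.exe_path} qname={d.qname} resolver={d.resolver} {flag}"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal A/IN query in wire format; used only to construct sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


# Constructed sample events: one browser query, one from an unknown binary in a temp directory.
SAMPLE_EVENTS = [
    QueryEvent(4120, r"C:\Program Files\Mozilla Firefox\firefox.exe", build_query("www.example.com")),
    QueryEvent(7788, r"C:\Users\alice\AppData\Local\Temp\update.exe", build_query("cdn.example.net")),
]


def run_example(events=SAMPLE_EVENTS) -> list[str]:
    return [log_line(route_query(ev)) for ev in events]


if __name__ == "__main__":
    for line in run_example():
        print(line)
```

In a real deployment the interesting part is the socket-to-process attribution, which must come from the operating system (a filter driver or equivalent) rather than from anything the process itself reports, since malware chooses its own executable name and can resolve names through any allowlisted program it can inject into.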
